The “Meat” of the Issue
On May 31, 2021, JBS Foods, the world’s largest meat supplier, experienced a ransomware attack. Then on July 2, 2021, along with other IT management companies, the major software supplier, Kaseya Ltd., also suffered a ransomware attack. These high-profile attacks signify the upward trend in the sophistication and frequency of cyber-attacks on major U.S. companies and infrastructure. The recent and devastating ransomware attacks on Kaseya and JBS alert all of us to the possibility of suffering our own ransomware attacks and the need to take steps to avoid becoming the next victim.
Kaseya, an Ireland-based company with its headquarters in Miami, designs and develops IT software to help businesses manage their computer systems. Kaseya has been described as a leading provider of IT and security management for MSPs (managed service providers) and enterprise clients. The platform has been used by over 36,000 MSP customers worldwide. The recent ransomware attack targeted the company’s remote platform system, VSA (virtual system administrator), which helps manage and monitor various network systems. Vulnerabilities in the VSA software were used to target several of the company’s MSPs and customers. The notorious Russian-speaking hacker group, “Ransomware Evil” or “REvil”, is suspected of mounting the attack. REvil demanded $70 million in ransom for a decryptor key to unlock the victims’ files. Kaseya spokeswoman Dana Liedholm did not state how the company obtained the key but did say that it came from a “trusted third party” and that it was being distributed to the victims.
The ransomware attack allegedly occurred due to multiple company vulnerabilities, including a recently cited issue in the company’s code. According to a Bloomberg report, five former employees of Kaseya claim there was a consistent lack of cybersecurity. According to the former employees, the “vulnerabilities” Kaseya attributed the attack to could have been a combination of outdated code, weak encryption and passwords, and a lack of basic cybersecurity practices. Kaseya has publicly announced they are working to patch these “vulnerabilities”.
Security experts also claim that MSPs are vulnerable targets for ransomware attacks because they are smaller businesses. Rick Holland, vice president of strategy at the threat intelligence firm Digital Shadows, says, “[MSP] victims are a desirable target as they may not have the means to eradicate the adversary and restore their IT systems, forcing them to pay the ransom”. The hacker group chose to target Kaseya over the Independence Day weekend, when fewer employees were working and managing their computer systems.
As of July 21, Kaseya issued an update on their current version of VSA software to “remediate functionality issues encountered by the enhanced security measures recently put in place, and to provide minor bug fixes”.
Prior to the Kaseya attack, REvil executed a large-scale cyber-attack on the global meat processing company JBS USA Holdings, Inc. (“JBS”). JBS, a Brazil-based company, currently accounts for 20% of the world’s daily cattle harvest, supplying the U.S. with 25% of all its beef and 20% of all its pork. This ransomware attack led to major shutdowns of nine U.S. meat processing plants, as well as reported shutdowns in Canada and Australia.
JBS did not reveal how the hacker group invaded their systems. JBS previously was advised to invest in “specialist monitoring technology” due to the weaknesses found in the company’s security during a cybersecurity audit conducted between 2017 and 2018. The audit revealed the overall potential for infrastructure hacking. However, JBS refrained from strengthening its cybersecurity, viewing it as too expensive and an unnecessary investment.
5 Best Practices to Help Avoid Becoming the Next Victim
These recent cyber-attacks demonstrate the importance of organizations employing a broad array of security and data protection measures, and continuously updating them. As the sophistication and number of cyber-attacks increase, businesses and companies need to take the necessary steps to identify and address unique cyber security vulnerabilities. To decrease their risks, organizations should implement the following best practices, among others:
- Employ a data backup and recovery plan for all critical information. A backup system should follow the 3-2-1 principle: Retain 3 copies of data (1 primary copy and 2 backup copies), store the backup copies on 2 different media systems (e.g., disk, fixed tape), and ensure that 1 of these copies is secured in an off-site location, disconnected from a network. Ransomware attackers sometimes attempt to destroy backup systems before deploying malware. Multiple, secure backup strategies help to protect against the possibility of a company permanently losing all its data.
- Be particularly careful with personal emails. Personal emails are a common target for ransomware threat actors because personal email systems are often less secure than business emails. Further, users tend to be less cautious about the potential for phishing emails. Treat personal emails with the same level of caution that you would treat business emails. Never click a link, button, or image in an email unless you have verified it was sent from a legitimate source and URL.
- Educate your employees and implement routine training. Employees are the first line of defense when it comes to online threats. Many ransomware attacks in organizations occur because employees are not aware that emails or links can be malicious. Many of these emails hold links that can spread malware. Implementing effective employee training that is focused on identifying social engineering, phishing attempts, and other scams, and on taking the necessary steps to implement the organization’s response plan, is a critically important part of protecting your organization’s data.
- Implement security features. Commonly used security features that can be helpful in preventing and monitoring for a ransomware attack include:
  - Virtual Private Network: A Virtual Private Network (“VPN”) hides an IP address when accessing the web. This makes it harder for malware to target computers and data.
  - Antivirus: Antivirus software detects and destroys computer viruses. Systems are regularly threatened by new viruses, spyware, and malware. Antivirus updates are designed to combat new threats that could potentially cripple systems.
  - Data encryption: Data encryption encodes and decodes information. Encrypted messages can only be accessed or decrypted by a user with the correct encryption key. Encryption can also be used to prevent malicious parties from accessing personal or company data.
  - Email spam filter: Email filtering is used to analyze incoming emails for “red flags” (e.g., gaudy fonts, large images, or attached documents) that could indicate spam, phishing, or otherwise harmful content. This software then moves those emails into a separate folder, and users have the option to block the email. If the email is blocked, the software will reject the email altogether, and further restrict emails from that sender.
  - Internet firewall: An Internet firewall can be software, hardware, or cloud based. Internet firewalls are designed to filter traffic and block outside access to private data on a computer to protect the overall network systems. Firewalls vary in terms of security offerings, level of expense, and resources required. For example, organizations that need a basic level of protection may choose a circuit level gateway firewall, which uses minimal time and resources. Others may choose a proxy firewall that offers a high level of data protection but requires more time and resources to protect the network system.
- Create a cyber response plan. According to the 2021 Verizon Data Breach Investigations Report, the number of ransomware attacks nearly doubled in frequency in the past year. In 2020, there reportedly were over 65,000 data breaches, resulting in ransomware payments of more than $350 million. Preparing for a ransomware attack is critical because every organization is at risk. Lack of a response plan can lead to premature, impulsive decisions. For example, some companies focus their efforts on quickly regaining encrypted data instead of on trying to identify and halt the spread of malware in the system. A response plan should include not only steps the IT team needs to take to prepare, identify, contain, eradicate, and recover from a potential security breach, but also steps the company needs to take to notify stakeholders and affected data subjects. An incident response plan helps to ensure that, in the event of a security breach, the right personnel and procedures are in place to effectively deal with a threat. It also puts into place a potential structured investigation to contain and remediate the threat.
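The 3-2-1 principle from the first practice above can be checked mechanically against a backup inventory. The following Python is an added example, not part of the original post; the `Copy` record, its fields, and the sample inventory are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Copy:
    dataset: str     # what is being protected
    role: str        # "primary" or "backup"
    media: str       # e.g. "disk", "tape"
    offsite: bool    # stored away from the primary site
    networked: bool  # reachable over a network from production systems

def check_321(copies):
    """Return {dataset: [violations]}; an empty list means the rule is met."""
    by_dataset = {}
    for c in copies:
        by_dataset.setdefault(c.dataset, []).append(c)
    report = {}
    for name, items in by_dataset.items():
        primaries = [c for c in items if c.role == "primary"]
        backups = [c for c in items if c.role == "backup"]
        problems = []
        if len(primaries) < 1 or len(backups) < 2:
            problems.append(f"copies: need 1 primary + 2 backups, "
                            f"found {len(primaries)} + {len(backups)}")
        if len({c.media for c in backups}) < 2:
            problems.append("media: backups are not on 2 different media")
        if not any(c.offsite and not c.networked for c in backups):
            problems.append("offsite: no backup is off-site and off-network")
        report[name] = problems
    return report

# Constructed sample inventory (hypothetical, not from the article).
INVENTORY = [
    Copy("finance-db", "primary", "disk", False, True),
    Copy("finance-db", "backup", "disk", False, True),
    Copy("finance-db", "backup", "tape", True, False),
    # Off-site replica is still network-reachable, so an intruder can reach it.
    Copy("file-shares", "primary", "disk", False, True),
    Copy("file-shares", "backup", "disk", False, True),
    Copy("file-shares", "backup", "disk", True, True),
    Copy("hr-records", "primary", "disk", False, True),
    Copy("hr-records", "backup", "tape", True, False),
]

if __name__ == "__main__":
    for dataset, problems in check_321(INVENTORY).items():
        print(dataset, "OK" if not problems else problems)
```

The `file-shares` case is the one that matters for ransomware: it has enough copies, but every backup is reachable from the network, so an attacker who destroys backups before deploying malware can reach all of them.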
As the recent ransomware attacks indicate, no company, small or large, is exempt from becoming a target of hackers. If companies do not implement good data breach prevention, identification, and response practices like the ones suggested above, they risk becoming the next victim.

https://www.bankinfosecurity.com/kaseya-focus-new-supply-chain-ransomware-attack-a-16986
Fey LLC Information Governance Analyst Interns Grace Cross and Maeve McKinney contributed to this post.